If you run a business in Saudi Arabia in the financial services, fintech, or related sectors, you've probably encountered two acronyms that create more confusion than almost anything else in Saudi cybersecurity compliance: SAMA CSF and NCA ECC.

Both are mandatory cybersecurity frameworks. Both apply in Saudi Arabia. Their requirements overlap significantly. But they are not the same thing, they don't apply to the same organisations in the same way, and trying to manage one without understanding the other is a common and expensive mistake.

This is the clear explanation most businesses need and rarely get.

What SAMA CSF Is

The Saudi Arabian Monetary Authority Cybersecurity Framework, the SAMA CSF, was issued in 2017 by SAMA, which has since been renamed the Saudi Central Bank but kept the SAMA acronym. It applies specifically to the organisations SAMA regulates (its "Member Organizations"). This includes:

The SAMA CSF is a detailed, risk-based framework structured around four domains: Cybersecurity Leadership and Governance, Cybersecurity Risk Management and Compliance, Cybersecurity Operations and Technology, and Third-Party Cybersecurity. It is comprehensive, running to over 100 specific controls, and each control is rated on a maturity scale from 0 to 5, with SAMA expecting regulated entities to reach at least level 3 (defined, documented and consistently implemented). SAMA-regulated entities are subject to examination against it, and the examination looks at evidence of maturity, not just the existence of a policy.

SAMA CSF compliance is not aspirational for regulated financial entities. It is expected, examinable, and non-compliance carries regulatory consequences.

What NCA ECC Is

The National Cybersecurity Authority Essential Cybersecurity Controls apply more broadly to Saudi government entities and organisations in the national critical information infrastructure — which includes healthcare, energy, water, telecoms, financial services, and transport.

Where SAMA CSF is deep and sector-specific, the NCA ECC is designed as a baseline: the minimum set of controls that all in-scope organisations must have implemented. The 2018 edition (ECC-1:2018) is organised into 5 main domains, 29 subdomains and 114 controls; a revised edition, ECC-2:2024, has since been issued, so check which edition the NCA expects you to assess against before starting.

Where They Overlap — and Where They Diverge

For a SAMA-regulated financial services firm, both frameworks apply simultaneously. The good news is that there is substantial overlap — an organisation that is genuinely SAMA CSF compliant will have satisfied a significant proportion of the NCA ECC requirements in the process.

However, the overlap is not complete. There are areas where:

The most common mistake is treating one framework as a proxy for the other. A SAMA-regulated fintech that assumes SAMA CSF compliance automatically means NCA ECC compliance, or vice versa, is likely carrying compliance gaps it does not know about.

Which One Applies to You?

You are SAMA-regulated:

Both frameworks apply. SAMA CSF is your primary obligation and the framework against which you will be examined by SAMA. NCA ECC is an additional layer. The right approach is to complete a SAMA CSF assessment first and use the gap analysis to also map NCA ECC compliance.

You are in financial services but not directly SAMA-regulated:

For example, a technology provider serving financial institutions, or a professional services firm with significant financial sector clients. NCA ECC applies. SAMA CSF may also be required contractually by your clients. This is increasingly common — large Saudi banks now require third-party suppliers to demonstrate SAMA CSF alignment as a condition of onboarding.

You are in healthcare, logistics, or professional services:

NCA ECC applies. SAMA CSF does not directly apply, though if you process payment data you should also be aware of PCI DSS requirements. If you handle personal data — which you almost certainly do — Saudi PDPL applies separately.

A Practical Starting Point

Rather than treating compliance as two separate projects, the most efficient approach is a combined gap assessment that maps your current controls against both frameworks simultaneously — identifying where you satisfy both, where you satisfy one but not the other, and where gaps exist in both.

This gives you a single prioritised remediation roadmap rather than two parallel workstreams, and it produces one body of evidence (a control-by-control mapping with supporting documentation) that can be presented to both the NCA and SAMA examination processes.

One more framework to be aware of: Saudi Arabia's Personal Data Protection Law (PDPL), enforced by SDAIA, adds data protection obligations that neither SAMA CSF nor NCA ECC fully address. If you handle personal data — and most businesses do — PDPL requirements should be assessed alongside your cybersecurity framework compliance. An independent advisor can map all three in a single engagement.

Compliance in Saudi Arabia's regulated sectors is genuinely complex. The frameworks are well-designed and the intent is sound — but the interaction between them is rarely explained clearly. The businesses that navigate it most successfully are those that understand the full picture before they start, rather than discovering gaps during an examination or, worse, during an incident.